In recently published research, cybersecurity firm Adlumin has unveiled the existence of PowerDrop, a sophisticated PowerShell script that poses a significant risk to the aerospace defense industry.
This malware, named for its elusive nature, combines the techniques commonly associated with both "off-the-shelf" threats and advanced persistent threat (APT) groups.
PowerDrop's distinctiveness lies in its ability to operate undetected by employing an arsenal of advanced evasion tactics. Through deceptive techniques, encoding, and encryption, the malware slips past traditional security measures and is considerably harder to detect and mitigate.
Unlike off-the-shelf products, PowerDrop utilizes custom code and employs uncommon methods of communication and data exfiltration. Furthermore, it does not reside on disk and evades detection by executing via Windows Management Instrumentation (WMI), rendering it even more elusive, according to Adlumin's research.
James Lively, an endpoint security research specialist at Tanium, underscores the seriousness of PowerDrop's capabilities and implementation:
"Based on the capabilities of PowerDrop, how they are implemented, and how the threat actor is using PowerDrop in the aerospace industry, it is indicative of APT activity. It is clear that whoever the threat actor is, they intended to remain in the environment for a long time and collect data."
Given the emergence of PowerDrop and the evolving cyber threat landscape, the aerospace defense industry must remain hyper-vigilant in safeguarding its critical infrastructure.
Continuous monitoring for anomalous network activity is therefore essential, with a particular focus on identifying unusual pinging to external hosts. Early detection of malicious activity and swift mitigation are crucial to prevent data breaches and minimize the potential impact of this sophisticated cyber threat.
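The "unusual pinging to external sources" advice above can be turned into a concrete check. The script below is an added illustration, not code from the article or from Adlumin's research: it parses a constructed flow log (the CSV layout, the IP addresses and the timestamps are all made up for this example), groups ICMP echo requests by source and external destination, and flags pairs that are both frequent and evenly spaced, since a human running ping rarely produces a clockwork interval. The thresholds (`min_count`, `max_jitter_ratio`) and the list of "internal" ranges are assumptions that a real deployment would tune.

```python
"""Flag internal hosts that send regular ICMP echo requests to external addresses.

Added illustration, not code from the article or from Adlumin's research. The log
format, the addresses and the thresholds below are constructed assumptions.
"""
import ipaddress
import statistics
from collections import defaultdict
from datetime import datetime

# Ranges treated as "internal" (assumption: RFC 1918 plus loopback/link-local).
# A real deployment would add the organisation's own public ranges. The RFC 5737
# documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) are
# deliberately not listed so they can stand in for external hosts in the sample.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

# Constructed sample flow log. Fields: timestamp,src,dst,proto,icmp_type
# 10.0.0.5 pings 203.0.113.7 every two minutes; 10.0.0.9 pings an internal
# gateway; 10.0.0.20 pings an external host irregularly; 10.0.0.12 pings once.
SAMPLE_LOG = """\
2023-06-01T10:00:00,10.0.0.5,203.0.113.7,icmp,echo-request
2023-06-01T10:00:05,10.0.0.9,10.0.0.1,icmp,echo-request
2023-06-01T10:02:00,10.0.0.5,203.0.113.7,icmp,echo-request
2023-06-01T10:03:10,10.0.0.20,192.0.2.1,icmp,echo-request
2023-06-01T10:04:00,10.0.0.5,203.0.113.7,icmp,echo-request
2023-06-01T10:04:30,10.0.0.12,198.51.100.4,icmp,echo-request
2023-06-01T10:06:00,10.0.0.5,203.0.113.7,icmp,echo-request
2023-06-01T10:07:00,10.0.0.9,10.0.0.1,icmp,echo-request
2023-06-01T10:08:00,10.0.0.5,203.0.113.7,icmp,echo-request
2023-06-01T10:09:45,10.0.0.20,192.0.2.1,icmp,echo-request
2023-06-01T10:10:00,10.0.0.5,203.0.113.7,icmp,echo-request
2023-06-01T10:11:00,10.0.0.9,10.0.0.1,icmp,echo-request
2023-06-01T10:12:00,10.0.0.5,198.51.100.9,tcp,-
2023-06-01T10:30:00,10.0.0.20,192.0.2.1,icmp,echo-request
2023-06-01T10:31:00,10.0.0.20,192.0.2.1,icmp,echo-request
"""


def is_external(ip: str) -> bool:
    """True when the address falls outside every INTERNAL_NETS range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def parse_log(text: str):
    """Parse the constructed CSV lines into (timestamp, src, dst, proto, icmp_type)."""
    records = []
    for line in text.strip().splitlines():
        ts, src, dst, proto, icmp_type = line.split(",")
        records.append((datetime.fromisoformat(ts), src, dst, proto, icmp_type))
    return records


def find_external_ping_beacons(records, min_count=4, max_jitter_ratio=0.2):
    """Return {(src, dst): stats} for (source, external destination) pairs whose
    echo requests are numerous (>= min_count) and evenly spaced (population
    standard deviation of the inter-arrival times divided by their mean is
    <= max_jitter_ratio). Regular, repeated pings to an outside host are worth
    an analyst's attention; irregular or one-off pings are not flagged."""
    by_pair = defaultdict(list)
    for ts, src, dst, proto, icmp_type in records:
        if proto != "icmp" or icmp_type != "echo-request":
            continue
        if not is_external(dst):
            continue
        by_pair[(src, dst)].append(ts)

    findings = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        intervals = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.fmean(intervals)
        jitter = statistics.pstdev(intervals) / mean if mean else float("inf")
        if jitter <= max_jitter_ratio:
            findings[pair] = {"count": len(stamps),
                              "mean_interval_s": mean,
                              "jitter_ratio": jitter}
    return findings


if __name__ == "__main__":
    for (src, dst), info in find_external_ping_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"{src} -> {dst}: {info['count']} echo requests, "
              f"every ~{info['mean_interval_s']:.0f}s (jitter {info['jitter_ratio']:.2f})")
```

On the sample data only the 10.0.0.5 to 203.0.113.7 pair is reported (six requests, 120 seconds apart, zero jitter); the internal gateway pings, the single ping from 10.0.0.12 and the irregular pings from 10.0.0.20 all fall outside the thresholds. The same grouping and interval test applies to flow exports from a firewall or NetFlow collector once the parser is adapted to that format.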
Andrew Barratt, Vice President at Coalfire, highlights the risk posed by PowerDrop to the supply chains of primary weapons systems manufacturers:
"We've seen several cases of PowerShell being used by criminal actors due to its incredible feature set and the ability to evade detection by leveraging infrastructure already present in common computing environments.
These are useful because they can be easily dropped into a working environment by email or USB and don't require a sophisticated Zero-Day to be burned as part of the attack. The U.S. and allies' primary weapons systems manufacturers should be on high alert for this activity and be critically monitoring their supply chains in case they become a source of attack."
While Adlumin states that it has not identified a specific threat actor, the cybersecurity community has begun to speculate. Craig Jones, Vice President of Security Operations at Ontinue, states:
"The absence of a clear attribution to a specific threat actor further deepens the mystery surrounding PowerDrop. Currently, the community has refrained from pointing fingers; suspicions point towards nation-state adversaries due to the ongoing conflict in Ukraine and their intensified focus on aerospace and missile programs."
It's fairly easy to infer what "nation-state adversaries" Jones is alluding to, but we will wait for further confirmation.
For more information on the PowerDrop malware, see the research from Adlumin, "PowerDrop: A New Insidious PowerShell Script for Command and Control Attacks Targets U.S. Aerospace Defense Industry."